Thales Blog

Tokenization: A Critical Innovation For Payments Security

March 3, 2015

On 24 February 2015, Visa Europe announced a tokenization service which will be available by mid-April for its member banks. This initiative may have important ramifications, especially for the emerging mobile payments landscape.

Until recently tokenization had been used mainly by acquirers to help merchants reduce their PCI DSS scope and devalue data stolen by fraudsters. The Visa solution (which is based on the EMVCo tokenization standard) is designed specifically to assist issuers with isolating sensitive account data between the various payment channels in order to reduce fraud from stolen or counterfeit credentials.

This means that the 16-digit number used for the transaction has different values for a mobile contactless transaction (e.g. Apple Pay or the emerging Android-based host card emulation (HCE) transactions) or for an e-commerce transaction. The only thing that remains constant is the real PAN, which is held securely by the issuer and which currently is used by magnetic stripe and EMV card transactions at POS terminals or ATMs. With the Visa tokenization scheme in place, if the data on a mobile transaction is compromised it is of no use to the fraudster in creating counterfeit cards, which is still by far the biggest fraud threat.

However, tokenization does bring some attendant challenges. Whoever is running a tokenization initiative will have to store tokens and their corresponding PANs – i.e. the really valuable card information – in a ‘token vault’. The token vault naturally becomes a single point of attack for criminals. The bank, scheme or merchant implementing tokenization will also have to make sure they minimize the impact on the existing transaction processing infrastructure, for example by supporting chargebacks or the routing tables controlled by the acquirers – it is not a no-impact solution for all participants.
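The channel isolation described above, and the token vault that makes it work, can be seen in a small model. The following is an added example written for this post; it is not Visa Europe's or EMVCo's code, and the token BIN, channel names and test PAN are constructed for illustration. The vault issues a different Luhn-valid 16-digit token per channel for the same real PAN and only releases the PAN when a token is presented in the channel it was issued for, so a token lifted from a mobile contactless transaction is refused if replayed as e-commerce or as a card-present transaction.

```python
"""Toy model of issuer-side, domain-restricted payment tokenization.

Added example (not Visa Europe's or EMVCo's code): a token vault hands out a
different 16-digit token per payment channel for the same real PAN, and only
releases the PAN when the token is presented in the channel it was issued for.
All PANs, BIN values and channel names below are constructed for illustration.
"""
import secrets

# Constructed: a BIN range the vault reserves for tokens so the network can
# route them to the token service. Not a real assigned BIN.
TOKEN_BIN = "499999"

# Channels a token may be restricted to (names are this example's own).
MOBILE_CONTACTLESS = "mobile_contactless"
ECOMMERCE = "ecommerce"
CARD_PRESENT = "card_present"   # magnetic stripe / EMV at POS or ATM, uses the real PAN


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # rightmost partial digit is doubled once the check digit is appended
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the full number passes the Luhn test."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps tokens to (PAN, channel). In practice the vault is the high-value
    target the post describes; here it is a plain dict for clarity."""

    def __init__(self):
        self._entries = {}   # token -> (pan, channel)

    def tokenize(self, pan: str, channel: str) -> str:
        """Issue a fresh, format-preserving token bound to one channel."""
        if not (len(pan) == 16 and luhn_valid(pan)):
            raise ValueError("PAN must be 16 Luhn-valid digits")
        while True:
            body = TOKEN_BIN + "".join(secrets.choice("0123456789") for _ in range(15 - len(TOKEN_BIN)))
            token = body + luhn_check_digit(body)
            # Reject collisions with existing tokens or with the PAN itself
            if token != pan and token not in self._entries:
                break
        self._entries[token] = (pan, channel)
        return token

    def detokenize(self, token: str, presented_channel: str):
        """Return the real PAN only if the token exists and is presented in its own channel."""
        entry = self._entries.get(token)
        if entry is None:
            return None
        pan, channel = entry
        if channel != presented_channel:
            return None   # domain restriction: a token lifted from one channel is useless in another
        return pan


def demo():
    """Tokenize one constructed PAN for two channels and show the isolation."""
    pan = "4111111111111111"   # constructed test PAN, Luhn-valid
    vault = TokenVault()
    mobile_token = vault.tokenize(pan, MOBILE_CONTACTLESS)
    ecom_token = vault.tokenize(pan, ECOMMERCE)
    return {
        "tokens_differ": mobile_token != ecom_token,
        "tokens_hide_pan": pan not in (mobile_token, ecom_token),
        "tokens_format_ok": all(len(t) == 16 and luhn_valid(t) for t in (mobile_token, ecom_token)),
        "mobile_ok": vault.detokenize(mobile_token, MOBILE_CONTACTLESS) == pan,
        # A mobile token captured by a fraudster and replayed as e-commerce or at POS is refused
        "mobile_token_in_ecom": vault.detokenize(mobile_token, ECOMMERCE),
        "mobile_token_at_pos": vault.detokenize(mobile_token, CARD_PRESENT),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The dict standing in for the vault is the weak point the post warns about: the whole value of the scheme rests on the vault's contents (and its PAN-to-token mapping) being protected far more strongly than the tokens that circulate through merchants and mobile wallets.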

It remains to be seen how much control issuing banks will want to take over the tokenization process. The easier route of course will be to outsource tokenization to a third party such as Visa Europe. This adds an additional operational cost but will mean their IT departments are not burdened with developing or implementing a solution in-house. The security vendor community will be searching for solutions that make it easier for banks to perform tokenization and de-tokenization in-house so that they can get their share of the pie.

With the card schemes and other stakeholders in the value chain sensing revenue opportunities, it is not currently evident who will emerge as the major winners. What is clear is that tokenization is going to dramatically reduce the impact of data breaches for issuers, with less and less sensitive data now flowing through the merchant side of the payment networks, especially in the contactless NFC mobile payments space.